Cyber norms and confidence building measures in crisis and war
Thank you, it’s great to be back speaking to this group. Thank you to Philippe Baumard and Alain Bauer for inviting me. Today I’m going to talk to you about cyber norms and confidence building measures (CBMs) in crisis and in war.
Here is the plan: we’re going to look at a new challenge, I’ll give some background context, and then we will go through some of the issues involved in this situation.
In the appendix there is some follow up that we probably won’t have time to discuss.
This talk proposes some wartime cyber norms and confidence building measures where enforcement depends on the aligned self-interest of primary and secondary parties to the conflict. Recognition of self-interest depends on functional analysis of the norms and CBMs that demonstrate desirable outcomes for military cyber stability. That would be strategic stability in terms of nuclear strategic stability and conflict containment.
A hierarchy of common aversions is introduced, and the norms and CBMs can be designed against this hierarchy, which makes it in the interest of the actors to adhere to the norms or confidence building measures which achieve the outcome.
In the conclusions, we recommend further study and refinement and better understanding of these hierarchies and how they work in actual situations.
So, the new challenge for cyber norms diplomacy is the major war in Europe. Ukraine shows the need for wartime norms and confidence building measures because there are major powers involved as primary and secondary parties, and there is a danger of widening the conflict beyond the local theatre, drawing major powers into the conflict, raising risks of escalation significantly and introducing potential for nuclear exchanges.
Previously, multilateral cyber diplomacy has emphasised voluntary peacetime norms. In 2015, the UN group of experts agreed on a number of cyber norms and confidence building measures which have not been extended much but have been further refined and affirmed. Yet they do not discuss stabilising functions of cyber norms and CBMs nor clarify enforcement mechanisms.
When we move out of peacetime, we ask the question what are the phases of international conflict? What we see here is an adaptation from the literature of international relations on the base structure of the international analysis of conflict.
There is peacetime, there is settlement, there is armed conflict, there is the crisis before the armed conflict, and potentially there are hostilities after the armed conflict. I have renamed the second stage as opposed to pre-conflict hostilities as the struggle for position. This covers aggressive actions associated with the grey zone, which include intelligence struggles, aggressive cyber operations, preparing the battlefield, violating international law and strategic competition. This better captures the situation prior to the outbreak of war in the current international system than in peacetime when there is not much going on.
We’re going to look at the crisis and armed conflict points and what can be done there. To frame the issue, the analytical framework that we use is a multilevel cyber-physical conflict. This gives you a sense of layers from the economic layer up through the security layer with military and intelligence. Notice the critical infrastructure becomes part of this layer, as it is an important target. There is policing and then there is ideation. You can look at economic stability, ideological stability, and military stability.
Figure 2: Context: Dimensions of Multi-level Cyber-physical Conflict, Competition, and Cooperation
Currently, as we enter this conflict with Ukraine and Russia, we already have a number of mechanisms that have been destabilising international security architectures. One is the erosion of confidence in military deterrence because of the strong advantage of offense over defense in cyber.
Another is a structural security dilemma where it is much less expensive to do offense than it is to do defense in cyber. Further, when there are insecurity dilemmas in which cyber risks draw states to increase security, but the counterparties become more secure and increase their efforts, this can lead to an arms race.
Another mechanism is reduced crisis stability: momentum-driven conflict has been raised as a problem today, with short decision times, potential escalatory pressure and potential catalytic attacks on key infrastructures by third parties. A catalytic attack or a catalytic partner has the aim of provoking the outbreak of conflict among the other parties.
Furthermore, there is the issue of escalating conflict below the threshold of an armed attack; this is in the grey zone of operations where things can go wrong. The mining of critical infrastructure has become very serious now. There is also the potential that states may make bad decisions, that they’re not rational actors, and this may be due to ideology, groupthink, bureaucratic politics, internal political logic or just information overload.
In this environment, we have talked about four modes of cyber risk reduction. One of them is state restraint; this would include confidence building measures such as transparency measures which make internal processes more understandable, sharing doctrine procedures, making policies, rolodexes, organisational structures.
There are also cooperative measures, which include trading vulnerabilities and CERT to CERT communication. And finally, stability measures, which are designed to avoid escalation, for example the inspection of nuclear facilities or satellites that detect launches.
Then there are cyber norms in international law. Another thing is security and resilience, which is deterrence by denial that ensures that the cyber-attack does not work. There is also deterrence by punishment, making policies and threatening responses. Or there is persistent engagement, which is deterrence by denial and disruption. This is where you defend the enterprise, conduct espionage to support that cyber defense, called defend forward, and potentially disrupt adversary operations, called contest. This was done in the 2016 and 2020 elections in the US.
Our objectives in a crisis or war are to design a set of cyber norms and CBMs to enhance military cyber security. We don’t want things to get worse, we want them to get better. The targets are related between belligerents and non-belligerents because belligerents are probably going to continue their engagement.
Enforcement depends on aligned self-interest of primary and secondary parties to the conflict. Recognition of self-interest depends on a functional analysis of the norms and CBMs that demonstrates desirable outcomes for military cyber stability such as Conflict Containment and Strategic Stability. So, if one does not want the other party to adhere to the confidence building measures or the norms, they must understand why it is in their interest.
The benefits are to maintain crisis stability, reduce the risk that conflict spreads beyond the local war, avoid unintended and unnecessary escalation to higher conflict intensity, avoid widening the scope to more countries, and avoid adverse impacts on civilians and civilian critical infrastructures.
Further, of course maintaining nuclear strategic stability is important among the nuclear weapon states. Ideally, you would like to also build confidence in support of conflict de-escalation and war termination.
The talk is intended to motivate a new area of focus on diplomacy in this area, in that the UNGGE, which is the UN Group of Governmental Experts, and the UN Open-Ended Working Group emphasise primarily peacetime norms. In practice, voluntary adherence to non-binding cyber norms has been problematic during peacetime. Some major powers routinely violated 2015 UNGGE peacetime norms. There is the expectation among many that these norms will be completely ignored during wartime so when the project is done, there is no need for more war. However, the conclusion that I have and that we have developed in collaboration with Russian and Chinese counterparts in dialogues over the past year is that wartime cyber norms and CBMs must be self-enforcing, and self-enforcement of these norms depends on the aligned interest of states. This interest depends on symmetric positive goals or common aversions.
So here are some positive symmetric goals. We know that in international conflict, as you go forward the parties must start cooperating more. They want to conduct prisoner exchanges, they want to protect medical facilities and civilians, and they want to engage diplomatically to resolve their dispute. The little point is the outbreak of conflict. Wartime norms and CBMs may leverage positive interest during these stages.
I developed a Common Aversion Hierarchy. At the top is strategic nuclear war, then there is limited nuclear war among major powers which is something that everyone is trying to avoid, especially in NATO and in the Russian context, both sides are trying to do that. Further, there is the destruction of non-belligerent critical infrastructure, which nobody has done, attacks on civilian population outside the war zone, avoiding a proxy war with a major power, then there is the local conventional war between a lesser and major power, cyber-attacks on national critical infrastructures during crises, and information attacks during crises. These are a draft set of levels in the Common Aversion Hierarchy, it is something to think about hard, and what I’ve got wrong and what I’ve got right with this Hierarchy.
Figure 4: Common Aversion Hierarchy
The wartime enforcement of cyber norms and CBMs is based on 6 key assumptions.
Now, I will discuss some confidence building measures that states can likely support under wartime conditions. My number one suggestion is communications. Communication channels must be maintained in order to understand counter-party perceptions, manage crises, protect against 3rd party cyber-attacks and negotiate settlement. There are various channels that can be used and various links that you might need. These could be digital, or they could be in-person links, such as phone calls or video conferencing over the internet.
The next one is moderation. Non-belligerents should moderate cyber espionage and refrain from disruptive cyber-attacks against belligerents during a war because the target may interpret these actions as preparation for the battlefield or direct attacks, which may trigger responses. This is particularly important for military systems and critical infrastructures. States are very sensitive about the significantly higher level of penetration of critical infrastructure since the advent of the Ukraine war, and that includes Russia, NATO, and the United States.
The third one is to deter catalytic actors. Non-state actors may act, for example launching cyber-attacks on Russian critical infrastructure, and if these attacks emanate from a western country, the Russians may believe a state is responsible. This is a problem. In this situation, adversaries need to accurately identify the attacker and determine and respond to such incidents. All the major powers are concerned about this important issue.
Law enforcement cooperation can help develop the ability to coordinate and act jointly to attribute and pursue cyber criminals or non-state actors which threaten critical infrastructures, for example with ransomware attacks.
Cyber security cooperation can help with reporting and closing vulnerabilities in critical infrastructure that may be exploited by catalytic actors or criminals. CERT to CERT information sharing may help both sides to protect critical infrastructures and avoid these kinds of destabilising issues in the first place.
Coordinating cyber defense can help protect shared international critical infrastructures such as maritime, aviation, space, telecommunication, energy and finance.
The top cyber norm is to not interfere with the NC4ISR (nuclear command, control, communications, computers, intelligence, surveillance, and reconnaissance) of other states. This can undermine nuclear strategic stability with potentially disastrous results.
Non-belligerents should not impair the ability of military systems of belligerents to function through direct cyber-attacks. Obviously, the victims are going to get excited about that.
In terms of critical infrastructure, non-belligerents should not impair the functioning of critical infrastructure of belligerents because a significant attack can draw them into the war.
States should not penetrate critical infrastructures to prepare cyber-attacks on them. Implants or unauthorized control could be hijacked by 3rd parties and the original actor blamed for the attack. This is receiving increasing attention by governments.
Finally, states should seek to protect shared critical infrastructure from cyber-attacks, focusing on best practices, anticipatory threat analysis, vulnerability reporting, and rapid remediation.
The last norm is duty to assist. States should pursue criminal or terrorist elements engaged in malign cyber or influence operations from their territory because they are required to do so under international law and because they may otherwise be held responsible for them. States should cooperate with other states to defend against hostile cyber or influence operations against public health functions whether conducted by state or non-state actors.
Bio-cyber norms are an important issue on which we have worked previously. Many people died during the pandemic because of propaganda against wearing protective masks and receiving vaccines against COVID-19 to enhance immunity.
Here are some conclusions concerning the Russia-Ukraine War:
• The US and NATO have exercised caution in their support for Ukraine to avoid becoming co-belligerents.
• Russia has exercised restraint in its cyber operations against NATO and the US to avoid triggering NATO Article 5.
• Russia was kept on the Internet when the early sanctions required removal of peering equipment and supporting software from Russia. This was reconsidered, the specific sanctions waived, Russia remained on the internet, and the ability to communicate with Russia was maintained.
• Russia and NATO have both become alert to catalytic actors. They have learned through incidents involving non-state actors, but they need to remain vigilant to handle future incidents.
• In practice, both sides are establishing wartime cyber norms even if there is little open discussion about the explicit or implicit rules so far.
• The CBMs and norms proposed here may help broaden this emerging foundation of wartime cyber norms.
More generally, CBMs and cyber norms can help stabilise crises and contain wartime conflict. The effectiveness of wartime cyber norms depends on the features of the case. It is easier for the Russia-Ukraine War because major powers are not in direct military conflict. By contrast, a China-Taiwan contingency is more likely to involve major powers in direct conflict and reduce the effectiveness of the common aversion hierarchy as a mechanism of self-enforcement.
Engineering functional cyber norms and CBMs for military cyber stability is easier during peace time than during wartime. Nonetheless, it must be done for crisis situations to improve crisis stability and for wartime to reduce accidental or unintended escalation.
Finally, we need more research to understand how cyber norms and CBMs can work during crisis and war and to better understand the mechanisms of self-enforcement.